Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

You're formatting messages the wrong way


Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.

You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.

The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.

"Unlike other cases we kind of stumbled upon the first indications of this vulnerability by pure coincidence (we did not search for Outlook vulnerabilities). We knew something was seriously wrong when we noticed that the contents of S/MIME encrypted mails were shown in Outlook Web Access."

There are other side effects, depending on how you have Outlook configured. If you're using Outlook with Exchange then the unwanted plain text email is only sent one hop to the intended recipient and can't be forwarded on.

But if you're running Outlook under SMTP then the unwanted email leaks to not only the recipient but also to all mail servers along the path. Potentially that's a security nightmare.
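The leak described above is a structural one: a message that carries an S/MIME enveloped-data part should have no readable text part next to it. The following check, an added example and not code from SEC Consult, Microsoft or The Register, parses a message and reports any text part that travels alongside an encrypted part. It assumes the affected layout is a multipart message with a `text/plain` sibling of the `application/pkcs7-mime` part; the sample message is constructed, with placeholder bytes in place of real CMS data.

```python
"""Flag S/MIME messages that carry a cleartext copy of the body beside
the encrypted part. Assumed layout: multipart with a text/* sibling of an
application/pkcs7-mime enveloped-data part (assumption, not from the advisory)."""
import email
from email import policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_smime_encrypted(part) -> bool:
    """True for an S/MIME part whose smime-type is enveloped-data (or absent,
    which older clients used for encrypted content)."""
    if part.get_content_type() not in SMIME_TYPES:
        return False
    return part.get_param("smime-type") in (None, "enveloped-data")


def find_leaked_plaintext(raw: bytes) -> list:
    """Return the decoded text of every text/* part found in the same message
    as an S/MIME encrypted part. A correctly encrypted message has no readable
    text part at all, so a non-empty result means the body went out in clear."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    if not any(is_smime_encrypted(p) for p in parts):
        return []
    return [p.get_content() for p in parts if p.get_content_maintype() == "text"]


def sample_message(leaked: bool) -> bytes:
    """Constructed sample, not a real capture: an enveloped-data part holding
    placeholder base64 (not real CMS bytes), optionally with the plaintext body
    stapled on as a second part the way the bug described above does."""
    body_part = (
        "--outer\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        "Quarterly numbers attached, do not forward.\r\n"
    ) if leaked else ""
    return (
        "From: alice@example.com\r\nTo: bob@example.com\r\n"
        "Subject: quarterly numbers\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
        + body_part +
        "--outer\r\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        "UExBQ0VIT0xERVItQ01TLUJZVEVT\r\n"  # placeholder, not real CMS data
        "--outer--\r\n"
    ).encode()
```

Run on a mail store or gateway, a non-empty result for any message is a sign the sender's client is affected and the body has already travelled in clear.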

Microsoft claimed the exploitation of this bug was "unlikely" in the wild. Some infosec professionals argued it was a little too easy to exploit:

SEC Consult said it noticed the issue in May, reported it to Microsoft, and hadn't heard back from the Windows giant as to how long this has been a problem. Redmond fixed the issue in October's Patch Tuesday bundle, so apply the security update as soon as possible. Also consider that any plain-text-formatted S/MIME messages sent from Outlook may have been read over the wire by miscreants. ®

Biting the hand that feeds IT © 1998–2022